> Like Russ, I find the statement very difficult to read. Would
> inverting it be better?
>
> > A CA MUST NOT issue authorize issuance if a CAA record is present unless
> > the "account-uri" parameter identifies the account making a certificate
> > issuance request.

See previous reply. Issuance is not determined by the presence of "a" CAA record; there may be multiple and issuance is authorized if any are considered to match the request. Establishing that a specific CAA record is not matched is not a sufficient condition for refusing issuance, because another adjacent CAA record might authorise it.

I think any attempt to describe this criterion in terms of specific situational MUST NOTs with regard to a single CAA record is futile.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
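The any-match evaluation described in the reply above, as an added example that is not part of the original message or of any draft text. It handles only "issue" properties with an exact-match "account-uri" parameter; the CA domain, account URIs, record set and function names are constructed for illustration.

```python
# Added example: any-match evaluation of "issue" CAA properties with account-uri.
# CA domains, account URIs and records below are constructed sample values.

def parse_issue_value(value):
    """Split 'ca.example; account-uri=https://...' into (issuer, params)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for item in parts[1:]:
        if "=" in item:
            key, val = item.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return issuer, params


def record_authorizes(value, ca_domain, account_uri):
    """True if this single record authorizes the requesting CA account."""
    issuer, params = parse_issue_value(value)
    if issuer != ca_domain:
        return False
    wanted = params.get("account-uri")
    # No account-uri parameter: the record is not bound to one account.
    return wanted is None or wanted == account_uri


def issuance_authorized(issue_values, ca_domain, account_uri):
    """Decide over the whole set: one matching record is enough."""
    if not issue_values:
        return True  # no "issue" properties: CAA places no restriction
    return any(record_authorizes(v, ca_domain, account_uri) for v in issue_values)


# Constructed record set: two accounts at the same CA, plus another CA.
RRSET = [
    "ca.example; account-uri=https://ca.example/acct/1",
    "ca.example; account-uri=https://ca.example/acct/2",
    "other-ca.example",
]
ACCT2 = "https://ca.example/acct/2"

if __name__ == "__main__":
    for v in RRSET:
        print(v, "->", record_authorizes(v, "ca.example", ACCT2))
    print("issuance authorized:", issuance_authorized(RRSET, "ca.example", ACCT2))
```

The first record alone does not match account 2, yet issuance is authorized because the second record does, which is why a per-record refusal rule gives the wrong answer.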
